FPGA Implementations of the ICEBERG Block Cipher

François-Xavier Standaert, Gilles Piret, Gael Rouvroy, Jean-Jacques Quisquater
UCL Crypto Group, Place du Levant, 3, B-1348 Louvain-La-Neuve, Belgium.
e-mail: standaert,piret,rouvroy,[email protected]

Abstract— This paper presents FPGA (Field Programmable Gate Array) implementations of ICEBERG, a block cipher designed for reconfigurable hardware implementations and presented at FSE 2004. All its components are involutional and allow very efficient combinations of encryption/decryption. The implementations proposed also allow changing the key and Encrypt/Decrypt (E/D) mode for every plaintext, without any performance loss. In comparison with other recent block ciphers, the implementation results of ICEBERG show a significant improvement of hardware efficiency. Moreover, the key and E/D agility allows considering new encryption modes to counteract certain side-channel attacks.

I. INTRODUCTION

In October 2000, NIST (National Institute of Standards and Technology) selected Rijndael as the new Advanced Encryption Standard. The selection process included performance evaluation on both software and hardware platforms. However, as implementation versatility was a criterion for the selection of the AES, it appeared that Rijndael was not optimal for reconfigurable hardware implementations. Its highly expensive substitution boxes are a typical bottleneck, but the combination of encryption and decryption in hardware is probably as critical.

ICEBERG is a block cipher designed for efficient reconfigurable hardware implementations. It is based on an involutional structure so that the forward and inverse operation of the cipher may be performed with exactly the same hardware. All its components easily fit into the 4-bit input lookup tables (1) of FPGAs, and its key scheduling allows the round keys to be derived "on the fly" in encryption and decryption mode. In addition to hardware efficiency, the key and E/D agility allows considering new encryption modes to counteract certain side-channel attacks. In practice, very low-cost hardware crypto-processors and high throughput data encryption are potential applications of ICEBERG.

(1) LUTs are 4-bit input function generators and constitute the basic building block of most recent reconfigurable devices.

This paper presents FPGA implementations of ICEBERG and compares their performances with the ones of recent block ciphers (e.g. AES and NESSIE candidates). Although ICEBERG implementations offer features that most block ciphers do not provide (e.g. key and E/D agility), its implementation results exhibit a significant improvement of hardware efficiency. For this purpose, we investigated various contexts (loop and unrolled implementations, with or without feedback) on the recent Xilinx Virtex-II technology.

The paper is structured as follows. Section 2 briefly presents the specifications of ICEBERG and Section 3 describes our FPGA design methodology. Section 4 lists the combinatorial cost of the block cipher components. The implementation results for various architectures are in Sect. 5 and comparisons with other block ciphers are in Sect. 6. Resistance against side-channel analysis is briefly discussed in Sect. 7. Finally, conclusions are in Sect. 8.

II. SPECIFICATIONS

A. Block and Key Size

ICEBERG operates on 64-bit blocks and uses a 128-bit key. It is an involutional iterative block cipher based on the repetition of 16 identical key-dependent round functions. In the next subsections, we briefly present the algorithm. A more detailed description can be found in the original paper [1].

B. The round function

The round function is pictured in Fig. 1, where we distinguish a non-linear layer and a linear diffusion layer.

[Fig. 1. The round function. Non-linear layer: a row of S0 boxes, P8 permutations, a row of S1 boxes, P8 permutations, a row of S0 boxes. Diffusion + key addition: P64, a row of D boxes, bitwise ⊕ with the round key, P4 permutations, P64.]

The non-linear layer is built from the parallel application of 8 × 8 substitution boxes to the cipher state. For efficiency purposes, these boxes are constructed from smaller 4 × 4 S-boxes S0, S1 and bit permutations P8 (i.e. 8-bit wire crossings).

The linear diffusion layer is built from bit permutations P64 (i.e. 64-bit wire crossings), bit permutations P4 (i.e. 4-bit wire crossings), bitwise key additions (denoted as ⊕ in the figure) and small 4 × 4 diffusion boxes D. These boxes perform a simple multiplication:

$$
\begin{pmatrix} y_3 \\ y_2 \\ y_1 \\ y_0 \end{pmatrix} =
\begin{pmatrix} 0 & 1 & 1 & 1 \\ 1 & 0 & 1 & 1 \\ 1 & 1 & 0 & 1 \\ 1 & 1 & 1 & 0 \end{pmatrix}
\times
\begin{pmatrix} x_3 \\ x_2 \\ x_1 \\ x_0 \end{pmatrix}
$$

where every output bit is a ⊕ operation between three input bits. It is therefore efficiently combined with the key addition inside a single 4-input LUT.

C. The key schedule

The key scheduling process consists of key expansion and key selection.

The key expansion expands the cipher key K into a sequence of keys K^0, K^1, ..., K^16. We set the initial key K^0 = K. The following keys are obtained by a keyround function so that: K^{i+1} = keyround(K^i).

The keyround is pictured in Fig. 2, where we distinguish a conditional shift layer, bit permutations P128 (i.e. 128-bit wire crossings) and S-boxes S0. The conditional shift operation depends on a round constant C that will be discussed further.

[Fig. 2. The key round. SHIFT Left/Right, P128, a row of S0 boxes, P128, SHIFT Left/Right.]

Finally, the key selection first performs a simple compression function that selects 64 bytes of K^i having odd indices. Thereafter, a 4 × 4 key selection box is applied in parallel to every 4-bit key-block. It performs the following boolean operation:

$$
\begin{aligned}
y(0) &= (x(0) \oplus x(1) \oplus x(2)) \cdot sel \;\vee\; (x(0) \oplus x(1)) \cdot \overline{sel} \\
y(1) &= (x(1) \oplus x(2)) \cdot sel \;\vee\; x(1) \cdot \overline{sel} \\
y(2) &= (x(2) \oplus x(3) \oplus x(0)) \cdot sel \;\vee\; (x(2) \oplus x(3)) \cdot \overline{sel} \\
y(3) &= (x(3) \oplus x(0)) \cdot sel \;\vee\; x(3) \cdot \overline{sel}
\end{aligned}
$$

Depending on the value of a selection bit sel, we obtain the round key RK^i_0 or RK^i_1 for the round i.

D. Encryption/decryption process

The complete cipher consists of an initial round key addition, 15 rounds and a final transform. Due to the involutional structure of every single component of ICEBERG, the E/D mode is fixed with the selection bit only: sel = 1 in encryption and sel = 0 in decryption. In pseudo C, we have:

    ICEBERG(state,cipherkey,sel)
    {
        KeyExpansion(cipherkey,expandedkey[0..16]);
        for (i=0;i<16;i++)
        {
            KeySelection(expandedkey[i],sel,roundkey[i]);
        }
        KeySelection(expandedkey[16],not(sel),roundkey[16]);
        AddRoundKey(state,roundkey[0]);
        for (i=1;i<16;i++)
        {
            Round(state,roundkey[i]);
        }
        NonLinearLayer(state);
        AddRoundKey(state,roundkey[16]);
    }

The round constants are: C = 0 until round 8, C = 1 thereafter. A particular structure of the expanded key is therefore obtained:

$$
\begin{aligned}
K^0 &= K^{16} \\
K^1 &= K^{15} \\
&\dots
\end{aligned} \qquad (1)
$$

As a consequence, ICEBERG allows the encryption/decryption with exactly the same hardware (only the selection bit has to be changed) and the expanded key may be derived "on the fly" in encryption and decryption (the storage of round keys is not necessary). More details about this particular structure are available in the paper of FSE 2004.

III. DESIGN METHODOLOGY

Present reconfigurable components like FPGAs are usually made of reconfigurable logic blocks combined with fast access memories (RAM blocks) and high speed arithmetic circuits [2], [3]. Basic logic blocks of FPGAs include a 4-input function generator (called lookup table, LUT) and a storage element. In addition, most FPGA manufacturers provide users with fast carry logic and particular structures of the logic blocks to efficiently implement distributed memories, shift registers, ... A brief description of these components is given in the Appendix.

As reconfigurable components are divided into logic elements and storage elements, an efficient implementation will be the result of a better compromise between combinatorial logic used, sequential logic used and resulting performances. These observations lead to different definitions of implementation efficiency:

1) In terms of performances, let the efficiency of a block cipher be the ratio Throughput (Mbits/s) / Area (LUTs, RAM blocks).
2) In terms of resources, the efficiency is easily tested by computing the ratio Nbr of registers / Nbr of LUTs: it should be close to one.

ICEBERG was designed in order to allow very efficient FPGA implementations and our architectures are defined in order to maximize these notions of hardware efficiency. It practically results in the pipelining of the round and keyround functions. Pipelining increases the encryption speed by processing multiple blocks of data simultaneously. It is achieved by inserting rows of registers among combinatorial logic. Parts of logic between two consecutive registers form pipeline stages and we define the maximum pipeline as the pipeline of which the number of stages implies that the ratio Nbr of registers / Nbr of LUTs is the closest to one (and lower than one).

Table: FPGA implementation results (the caption is not preserved in the extract).

    Type       | # of slices | # of RAMBs | Latency (cycles) | Out. every (cycles) | Freq. (MHz) | Throughput (Mbits/sec)
    -----------+-------------+------------+------------------+---------------------+-------------+-----------------------
    Full Pipe  | 6808        | 0          | 66               | 1                   | 297         | 19008
    Half Pipe  | 4946        | 0          | 33               | 1                   | 271         | 17344
    RAM        | 3132        | 64         | 33               | 1                   | 210         | 13440
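The two boolean components specified in Sect. II (the 4 × 4 diffusion box D and the 4 × 4 key selection box) can be written directly as bit operations. The following is an added illustration, not code from the paper or from the ICEBERG authors; it assumes bit i of a 4-bit value is x(i), and it checks the involution property of D that lets one circuit serve both encryption and decryption.

```python
# Added example (not from the paper): ICEBERG's 4x4 diffusion box D and
# 4x4 key selection box from Sect. II, plus a check that D is an involution.
# Convention (assumed): bit i of a nibble is x(i); D_MATRIX rows are y3..y0
# and columns x3..x0, exactly as the matrix in Sect. II-B.

D_MATRIX = (
    (0, 1, 1, 1),
    (1, 0, 1, 1),
    (1, 1, 0, 1),
    (1, 1, 1, 0),
)


def diffusion_box(nibble: int) -> int:
    """Diffusion box D: multiply (x3, x2, x1, x0) by D_MATRIX over GF(2)."""
    x = [(nibble >> i) & 1 for i in (3, 2, 1, 0)]
    y = []
    for row in D_MATRIX:
        bit = 0
        for m, xi in zip(row, x):
            bit ^= m & xi          # each output bit is the XOR of three inputs
        y.append(bit)
    return (y[0] << 3) | (y[1] << 2) | (y[2] << 1) | y[3]


def diffusion_with_key(nibble: int, key_nibble: int) -> int:
    """D followed by the bitwise key addition: one 4-input LUT per output bit."""
    return diffusion_box(nibble) ^ key_nibble


def key_selection_box(nibble: int, sel: int) -> int:
    """Key selection box of Sect. II-C; sel picks the branch (sel=1 encrypts)."""
    x = [(nibble >> i) & 1 for i in range(4)]
    if sel:
        y = (x[0] ^ x[1] ^ x[2], x[1] ^ x[2], x[2] ^ x[3] ^ x[0], x[3] ^ x[0])
    else:
        y = (x[0] ^ x[1], x[1], x[2] ^ x[3], x[3])
    return y[0] | (y[1] << 1) | (y[2] << 2) | (y[3] << 3)


def d_is_involution() -> bool:
    """D applied twice is the identity on all 16 inputs, so D decrypts itself."""
    return all(diffusion_box(diffusion_box(v)) == v for v in range(16))


if __name__ == "__main__":
    for v in range(16):
        print(f"x={v:04b}  D(x)={diffusion_box(v):04b}  "
              f"RK0={key_selection_box(v, 0):04b}  RK1={key_selection_box(v, 1):04b}")
    print("D is an involution:", d_is_involution())
```

Note that D combined with a fixed key addition is not itself an involution (D(D(x) ⊕ k) ⊕ k = x ⊕ D(k) ⊕ k); the round is self-inverse because the surrounding layers and the key schedule of equation (1) supply the round keys in reverse order.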
